There has been an increase in the number of large and small organisations suffering security breaches (90% of large organisations reported that they suffered a security breach – up from 81% in 2014);

For large organisations, the median number of security breaches for a year was 14;

The average cost of the worst single breach suffered by large organisations has more than doubled (from £600k to £1.46m);

Despite this increased severity, employee vigilance appears not to be improving, as 50% of the worst breaches suffered were attributed to inadvertent human error (up from 31% in 2014).

On the back of the above report, the Digital Economy Minister, Ed Vaizey, spoke publicly to stress the importance of taking cybersecurity seriously, stating: “The UK’s digital economy is strong and growing, which is why British businesses remain an attractive target for cyber-attack and the cost is rising dramatically. Businesses that take this threat seriously are not only protecting themselves and their customers’ data but securing a competitive advantage. I would urge businesses of all sizes to make use of the help and guidance available from government and take up the Cyber Essentials Scheme.”

EU policy and regulatory developments

Network Information Security Directive (NISD): EurActiv is reporting that the NISD is still being held up by Member State concerns that the mandatory reporting clause is detrimental to national security. Udo Helmbrecht, the executive director of ENISA, is quoted as saying, “Those who made the legislation fear it won’t have the effect in the end that we want it to have. On the other hand, the member states fear if it’s mandatory and too detailed, they’ll sacrifice some of their interests.” The latest Presidency discussion document on the draft Directive, dated 5 June, has been noted on the Consilium website, but not yet uploaded (and does not appear to be available in the public domain). The Directive is on the agenda for discussion tomorrow (9 June) by the Council of the EU’s Working Party on Telecoms and Information Society.

General Data Protection Regulation (GDPR): The EPP Group has published the European Parliament’s proposed data protection reform timetable. According to the document:

The first trilogue meeting on the Regulation will take place on 24 June 2015;

The institutions appear to be attempting to get a few easy wins under their belt by discussing territorial scope (Article 3) and international transfers (Chapter V), on which they largely agree, before the summer recess;

The more contentious issues of data protection principles (Chapter II), rights of individuals (Chapter III) and controllers and processors (Chapter IV) are set to be tackled in September;

Things get no easier in October as the intensely debated issues of data protection authorities (Chapter VI) and liability (Chapter VIII) are set to be discussed;

If all goes well, the other remaining issues within the trilogue discussions are scheduled to be concluded before the end of the year.

Executing this timetable looks to be an exercise in compromise and discipline, yet with the whole of Europe watching, all three institutions will be keen to progress.

Statewatch has published the Council Presidency’s draft consolidated 264-page text. This is the text on which the President will attempt to secure the Council’s agreement on 15-16 June, in order to keep to the above proposed timetable.

US policy and regulatory developments

Reuters is reporting that the threat from China and North Korea has caused the US to bring Japan under its “cyber defence umbrella”. US and Japanese defence officials unveiled that they planned to enhance the US-Japan Cyber Defence Working Group and Japan’s cyber defence unit, which currently only has 90 members, by increasing their ability to retaliate with cyber weapons.

Asia policy and regulatory developments

According to E&T (who are quoting China Daily and Chen Wai of the Ministry of Industry and Information Technology), China is planning to unveil a five-year cybersecurity plan that prioritises the protection of state secrets and data. In order to do so, the Chinese government are reportedly set to choose domestic, rather than Western, software within all government agencies.

Attacks, reports and other news

The BBC is reporting on a potentially huge security breach within all US government departments. The US Office of Personnel Management (OPM) has confirmed that an attack they became aware of in April may have compromised the personal data of nearly four million government employees across all federal agencies. The OPM has publicly stated that they believe the hackers are based in Beijing. US officials remain concerned that security clearance information on government officials could have been targeted by the hackers, revealing many more security weaknesses. China is unhappy with accusations that the threat has come from them and has publicly stated that the US’s statements on the matter are “irresponsible and unscientific”. Following comments from the White House that they face a “dedicated threat” and an “ever evolving threat”, the FBI and DHS are now investigating the matter further.

The New York Times is reporting another US security breach after the IRS Commissioner, John Koskinen, admitted that hackers managed to gain access to more than 100,000 taxpayers’ records. Hackers apparently exploited a new online system for retrieving tax returns and used the records to file fraudulent claims potentially reaching $50 million in value.

SC Magazine is reporting that Russia is the primary suspect in a recent cyber attack on the German Bundestag. Trojan malware was used to compromise the Bundestag network and steal data from over 20,000 lawmakers’ computers. Though no official statement has been released, sources within the Bundestag’s tech department have apparently stated that the source code indicated a state-sponsored, Russian attack.

Reuters is reporting that the proposed $19 billion settlement agreed between Target and MasterCard, pertaining to the losses suffered during Target’s high-profile security breach in 2013, has collapsed after a number of banks refused to sign up to the deal. The settlement was reportedly contingent on 90% of the banks that issued the MasterCard accounts being in agreement and then forgoing their right to pursue a damages claim. Consequently, it appears that the banks will press ahead with lawsuits against Target instead.

The CERT-UK weekly update for 4 June 2015 details recent patches distributed by Cisco, HP, IBM, Linux and Aruba Networks in order to address high level vulnerabilities.

Bloomberg is reporting that a cyber attack on Japan’s pension service has leaked the details of 1.25 million personal records. The attack has caused embarrassment for Prime Minister Shinzo Abe after he was publicly criticised for the loss of 50 million pension records back in 2007.

M&A news

A joint announcement by Visa and FireEye that they are to collaborate to help merchants and issuers protect payment data is being heralded by 247WallSt as a “game changer”. Their new suite of tools and services aims to quickly detect and respond to attacks by sharing threat intelligence via email.

UK cybersecurity firm Sophos is hoping to raise £100 million when it launches its £1 billion IPO shortly. The company had previously planned to go public in 2007 but postponed due to the global financial crisis.

And finally…

The BBC is reporting on cybersecurity researcher, Natalia Kolesova, who has apparently discovered that cyber criminals can be haggled down. While investigating a piece of ransomware in which the attacker requested €250, Ms Kolesova managed to negotiate the release and return of her data down by 50% by pleading with the perpetrator about her inability to pay.

Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.